1. bb10adopter111's Avatar
    A single word followed by 5 symbols is as strong as 6 words (52x average lifespan).

    I've concluded that passphrases are dumb. Lol.

    I just can't imagine having to type 35-40 characters into my phone every time I wake it up.
    Conite, I think we all agree that typing in that many characters into a phone frequently would be inconvenient, and that not many people want to do that.

    Finding the right balance of inconvenience vs. privacy and security is highly dependent on the threat model one is trying to address.

    The entire premise of two-factor authentication is that it's based on something you know plus something you have. So, for most people's mobile phones the physical device is "something you have," and the password is "something you know." The level of security is then based on the degree of difficulty in an attacker obtaining both items.

    For BlackBerry phones, if the threat model is an attacker stealing the device, then the kill chain for the attack is the likelihood that the attacker can guess the password within 10 attempts. If the password is moderately random and unique (say a unique combination of birthdays, addresses, old phone numbers, family names, etc., with one or two special characters), a length of 15-17 chars is probably more than sufficient. So, this is all that's required to reasonably mitigate the lost phone scenario. This is what most people do, hopefully.

    However, if the threat model is that the attacker has daily access to your phone (family member, company insider, undercover agent, etc.), so that they can attempt 2-3 PWs several times a day (for analysis, let's say 1000-10,000 attempts per year), then it becomes absolutely critical that the PW is truly complex, random and unique. Not many people do this, I'm afraid.

    In the above "persistent" threat model, which is common for high net worth and prominent individuals, many industries, governments, etc., the appropriate mitigation is to 1) physically secure your phone at all times (no leaving it unattended EVER), 2) choose a long, complex, random password, and 3) monitor your device to see if there have been failed password attempts.

    The reason longer passwords/phrases are considered best practice in general is because of the exponential increase in advanced persistent threats meant to defeat account lock out provisions. Previously secure passwords are being cracked regularly through patient testing using AI and machine-learning empowered analysis of exposed passwords, de-anonymized personal information, open source intelligence (OSINT) research and social engineering to improve guessing algorithms.

    The challenge for mobile phones is that in many cases both authentication factors (physical possession and passwords) are weak. So while the use of 2FA keeps them well protected from random, opportunistic compromise, they are much more susceptible to sophisticated, targeted attacks than people think.

    Thanks for letting me explain my reasoning in detail.

    Posted with my trusty Z10
    dantheman77 likes this.
    04-16-19 10:24 AM
  2. conite's Avatar
    Conite, I think we all agree that typing in that many characters into a phone frequently would be inconvenient, and that not many people want to do that.

    Finding the right balance of inconvenience vs. privacy and security is highly dependent on the threat model one is trying to address.

    The entire premise of two-factor authentication is that it's based on something you know plus something you have. So, for most people's mobile phones the physical device is "something you have," and the password is "something you know." The level of security is then based on the degree of difficulty in an attacker obtaining both items.

    For BlackBerry phones, if the threat model is an attacker stealing the device, then the kill chain for the attack is the likelihood that the attacker can guess the password within 10 attempts. If the password is moderately random and unique (say a unique combination of birthdays, addresses, old phone numbers, family names, etc., with one or two special characters), a length of 15-17 chars is probably more than sufficient. So, this is all that's required to reasonably mitigate the lost phone scenario. This is what most people do, hopefully.

    However, if the threat model is that the attacker has daily access to your phone (family member, company insider, undercover agent, etc.), so that they can attempt 2-3 PWs several times a day (for analysis, let's say 1000-10,000 attempts per year), then it becomes absolutely critical that the PW is truly complex, random and unique. Not many people do this, I'm afraid.

    In the above "persistent" threat model, which is common for high net worth and prominent individuals, many industries, governments, etc., the appropriate mitigation is to 1) physically secure your phone at all times (no leaving it unattended EVER), 2) choose a long, complex, random password, and 3) monitor your device to see if there have been failed password attempts.

    The reason longer passwords/phrases are considered best practice in general is because of the exponential increase in advanced persistent threats meant to defeat account lock out provisions. Previously secure passwords are being cracked regularly through patient testing using AI and machine-learning empowered analysis of exposed passwords, de-anonymized personal information, open source intelligence (OSINT) research and social engineering to improve guessing algorithms.

    The challenge for mobile phones is that in many cases both authentication factors (physical possession and passwords) are weak. So while the use of 2FA keeps them well protected from random, opportunistic compromise, they are much more susceptible to sophisticated, targeted attacks than people think.

    Thanks for letting me explain my reasoning in detail.

    Posted with my trusty Z10
    How long would that last if every time you pick up your device you are on chance 4 of 10?
    BigBadWulf likes this.
    04-16-19 10:39 AM
  3. bb10adopter111's Avatar
    How long would that last if every time you pick up your device you are on chance 4 of 10?
    Hopefully not long at all, but it's amazing how many people just accept little signals like that as being a software bug rather than a red flag.

    That's why monitoring is so important in mitigating threats.
    04-16-19 10:52 AM
  4. dantheman77's Avatar
    How long would that last if every time you pick up your device you are on chance 4 of 10?
    "Ah, must've bumped the damn thing in my pocket"
    "Damn cat..."
    "Damn kids..."
    ppeters914 likes this.
    04-16-19 12:27 PM
  5. Thud Hardsmack's Avatar
    "Ah, must've bumped the damn thing in my pocket"
    "Damn cat..."
    "Damn kids..."
    I've never quite understood how the second two are an issue for anyone; the first one I've had happen with my z10 until I figured out it was mainly caused by bumping in my pocket - make the thing sit and stay in contact in pockets and it won't activate the screen. Or holster it. For anyone using devices made more recently this is mitigated by code for proximity detection (names can vary depending on brand). I'm not picking on you personally, just musing on those points.
    BigBadWulf likes this.
    04-16-19 12:56 PM
  6. BigBadWulf's Avatar
    For anyone beyond the wife and dog, the phone is made of unobtainium. This is all awesome theory, but seems to be turning into
    For BlackBerry phones, if the threat model is an attacker stealing the device, then the kill chain for the attack is the likelihood that the attacker can guess the password within 10 attempts. If the password is moderately random and unique (say a unique combination of birthdays, addresses, old phone numbers, family names, etc., with one or two special characters), a length of 15-17 chars is probably more than sufficient. So, this is all that's required to reasonably mitigate the lost phone scenario. This is what most people do, hopefully.
    Don't all Android and presumably all phones have a limit? This scenario would cover what percentage of threats? I'll guesstimate 99% as an ignorant observer.

    However, if the threat model is that the attacker has daily access to your phone (family member, company insider, undercover agent, etc.), so that they can attempt 2-3 PWs several times a day (for analysis, let's say 1000-10,000 attempts per year), then it becomes absolutely critical that the PW is truly complex, random and unique. Not many people do this, I'm afraid.
    How long would that last if every time you pick up your device you are on chance 4 of 10?
    Hopefully not long at all, but it's amazing how many people just accept little signals like that as being a software bug rather than a red flag.

    That's why monitoring is so important in mitigating threats.
    Seems to me what is important still is the user. Those who engage their cerebral cortex win. Those that don't, most likely failed any of your advice to begin with.


    The challenge for mobile phones is that in many cases both authentication factors (physical possession and passwords) are weak. So while the use of 2FA keeps them well protected from random, opportunistic compromise, they are much more susceptible to sophisticated, targeted attacks than people think.
    I think I need some statistics on just how susceptible I am.

    Thanks for letting me explain my reasoning in detail.
    Thank you! I can appreciate yours and others' concerns, and your detail. Not sure the vast overwhelming majority of mobile phone users are in your orbit. This is starting to feel like...



    I understand the seriousness of the topic, but seriously
    04-16-19 11:09 PM
  7. bb10adopter111's Avatar
    For anyone beyond the wife and dog, the phone is made of unobtainium. This is all awesome theory, but seems to be turning into

    Don't all Android and presumably all phones have a limit? This scenario would cover what percentage of threats? I'll guesstimate 99% as an ignorant observer.

    Seems to me what is important still is the user. Those who engage their cerebral cortex win. Those that don't, most likely failed any of your advice to begin with.

    I think I need some statistics on just how susceptible I am.

    Thank you! I can appreciate yours and others' concerns, and your detail. Not sure the vast overwhelming majority of mobile phone users are in your orbit. This is starting to feel like...

    I understand the seriousness of the topic, but seriously
    That's why I'm being clear. As I said, if the only threat model is a stolen phone, the most important thing is a UNIQUE, unguessable password of at least 6 characters (more is better) and the 10 failed attempt security-wipe control.

    But the "insider" and "surveillance" threat model is very real for thousands of organizations and millions of individuals globally. If you use a PW that could be guessed by a family member, friend, coworker, partner, or anyone who could see your other passwords, you should consider it vulnerable to social engineering.

    Posted with my trusty Z10
    04-17-19 08:06 AM
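To put numbers on the two threat models bb10adopter111 lays out above (10 attempts before the security wipe versus 1,000-10,000 insider attempts per year, and the 6-character minimum in the last post), here is an added worked example; it is not code from the thread, and the 2^20 size assumed for an insider's dictionary of birthday/address/family-name combinations is an assumption the thread does not give.

```python
import math

PRINTABLE_ASCII = 95  # distinct keyboard characters available per position


def keyspace_random(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of equally likely passwords of `length` characters from `alphabet` symbols."""
    return alphabet ** length


def p_guess(keyspace: float, attempts: int) -> float:
    """Probability that `attempts` distinct guesses hit a password chosen uniformly
    from `keyspace` candidates. For a password built from personal details the
    relevant keyspace is the attacker's candidate list, not the full alphabet."""
    return min(1.0, attempts / keyspace)


def bits_needed(attempts: int, max_risk: float) -> float:
    """Entropy in bits a password needs so that `attempts` guesses succeed with
    probability at most `max_risk`; follows from attempts / 2**bits <= max_risk."""
    return math.log2(attempts / max_risk)


def compare_threat_models(personal_info_bits: int = 20, years: int = 5) -> dict:
    """Guess-success probability per password type under both threat models.

    personal_info_bits = 20 (about one million candidates) is an ASSUMED size for an
    insider's dictionary of personal-info combinations; the thread gives no figure."""
    stolen_attempts = 10                  # security wipe after 10 failed attempts
    persistent_attempts = 10_000 * years  # upper end of the thread's 1,000-10,000/year
    keyspaces = {
        "personal_info": 2 ** personal_info_bits,
        "random_6": keyspace_random(6),    # the 6-character minimum from the last post
        "random_15": keyspace_random(15),  # the 15-17 character suggestion
    }
    return {
        f"{name}_{model}": p_guess(space, n)
        for name, space in keyspaces.items()
        for model, n in (("stolen", stolen_attempts), ("persistent", persistent_attempts))
    }


if __name__ == "__main__":
    for label, prob in compare_threat_models().items():
        print(f"{label:24s} {prob:.2e}")
    print(f"bits needed, 5 yrs at 10k/yr, risk 1e-6: {bits_needed(50_000, 1e-6):.1f}")
```

The "personal_info_persistent" figure (a few percent over five years) is the case the thread calls critical, while even a random 6-character password stays negligible under the 10-attempt wipe.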